
Comments (10)

damassi commented on June 12, 2024

@kajatiger - love the idea of a dep rotation; looking at force for example, or Palette, or any of our other web areas, it's clear things are very much out of date in places. Having a rotation like that would also help devs get more involved with the tooling aspect of our codebases.

However! That part of this RFC should be a separate RFC just because it's a significant process switch, and in regards to DepFu, there's a lot to talk about as we already have some competing dep managers in place.

Do you think you could break this into two RFCs?

from readme.

icirellik commented on June 12, 2024

A lot of progress has been made to better surface the security information from Dependabot.

This Looker dashboard lists all the vulnerabilities by team and repository: link 🔒

This Notion document describes how we are using Dependabot: link 🔒


dzucconi commented on June 12, 2024

Love the idea of a rotation and have heard good things about depfu.


damassi commented on June 12, 2024

Does it cover languages other than Ruby?

If this RFC is accepted it might be good to outline a full migration path in the resolution section, and loop in some repo maintainers to help things along.


kajatiger commented on June 12, 2024

Depfu covers all Ruby, JS and Elixir projects.


joeyAghion commented on June 12, 2024

Can you clarify how you mean that Dependabot's not configurable? It seems similar in most respects.

I'm not married to Dependabot, but do see a lot of value in being consistent across repositories. I wouldn't want something as foundational as dependency management to vary without good reasons.


kajatiger commented on June 12, 2024

Okay @damassi thanks for your suggestion. I split the RFCs in two now and it does make more sense to discuss things separately.


pvinis commented on June 12, 2024

Since renovate (in the repos it is active on) works, but I agree it can be hard to configure, I'd like to try depfu and see how it feels as well.
Eigen has renovate with a bunch of stuff disabled, which is not helping. I could add depfu on echo, which is much smaller, and help compare too. 🤔


mdole commented on June 12, 2024

Cool! Definitely like the idea of having consistent, easy-to-understand dependency updates for all of Artsy's repos.

Something I think this RFC should cover: how much would Depfu cost for Artsy? And how much work would it take to set up and maintain?


kajatiger commented on June 12, 2024

Thank you @icirellik ! I still find the dependabot config a bit counterintuitive, and also from our configurations now it is conflicting with the other RFC about a rotating dependency update routine. But I guess this can be discussed individually on a team level and repo level.
In order to gain some insight on how to configure dependabot there are documentations here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates

So sadly closing this RFC now.

Resolution

We decided to leave things as they are.

Level of Support

5: Unclear Resolution.

Additional Context:

Some people were in favor of it, but some people did not see the benefits of the change.

Next Steps

We will stick to dependabot.

Exceptions

None

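For readers following the "how configurable is Dependabot" question above, here is a worked `.github/dependabot.yml` as an added example. It is not Artsy's configuration and not taken from any repo in the thread; it assumes a single repository with a JavaScript package.json and a Ruby Gemfile at its root (the mix of npm and bundler is an assumption chosen because the thread mentions JS and Ruby projects). It shows the settings most relevant to the concerns raised: batching updates so a repo is not flooded with one PR per package, pinning down a schedule so a rotation can plan around it, and keeping security updates flowing while version updates are throttled.

```yaml
# Added example, not Artsy's config. Assumes package.json and Gemfile at the repo root.
version: 2
updates:
  # JavaScript dependencies: weekly, grouped so a rotation reviews a few PRs
  # rather than one per package.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "America/New_York"   # assumed; pick the rotation's working timezone
    open-pull-requests-limit: 5
    labels:
      - "dependencies"               # assumed label name
    groups:
      # Dev-only tooling (linters, test runners) can be bumped together freely.
      dev-tooling:
        dependency-type: "development"
      # Production minor/patch bumps are low risk and reviewed as one PR;
      # majors are deliberately excluded so they arrive as individual PRs.
      production-minor-patch:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Example of holding back a major: the rotation handles React majors by hand.
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "chore(deps)"

  # Ruby dependencies: version updates effectively disabled by the 0 limit.
  # Security updates (Dependabot alerts) are still raised as PRs; they are
  # controlled by the repository's security settings, not by this limit.
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 0
```

The two ecosystems deliberately use different strategies: the npm block is a "keep current, but in batches" policy, while the bundler block is the minimal "security fixes only" policy, which is the setting to start from when a team is not ready for routine version bumps. Because Dependabot reads this file from the default branch on each run, changing a team's policy is a normal pull request that the rotation can review like any other.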
